mux.Vars() returns variables from the routes, not from the query string.
To get the query string and its values, you still need to do it the way you did before, at least from quickly glancing at the mux docs.
And prepared statements are as safe as prepared statements in the RDBMS you are using are.
Go literally tells your RDBMS this:
GO: Hey, in the near future, someone might ask you about this query: “select UserID, CurrentDB from optUsers where LoginHash = ?”
RDBMS: Okay, I’ll remember that query as “1”
GO: Hey, do you remember Query 1? Here is the missing argument: "deadb33f", it's a string.
RDBMS: Okay, here is your result. …
From a language/DB-driver perspective you cannot do much anymore to make it more or less secure against SQL-Injection. This is independent from whether or not you use them in PHP, Go, Rust or any other language.
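The exchange described above can be observed from Go itself; this is an added example, not part of the original post. It assumes a query-string parameter named `hash` and a `/login` path, and uses a constructed `recorder` type in place of a real database driver so that the two messages `database/sql` sends (query text first, values second) can be logged offline.

```go
package main

import (
	"context"
	"database/sql"
	"database/sql/driver"
	"fmt"
	"io"
	"net/http/httptest"
)

// recorder is a constructed stand-in for the RDBMS: it plays driver, conn, stmt and rows, and logs what it is sent.
type recorder struct{ log []string }

func (r *recorder) Connect(context.Context) (driver.Conn, error) { return r, nil }
func (r *recorder) Driver() driver.Driver { return r }
func (r *recorder) Open(string) (driver.Conn, error) { return r, nil }
func (r *recorder) Begin() (driver.Tx, error) { return nil, driver.ErrSkip }
func (r *recorder) Close() error { return nil }
func (r *recorder) NumInput() int { return 1 }
func (r *recorder) Columns() []string { return []string{"UserID", "CurrentDB"} }
func (r *recorder) Next([]driver.Value) error { return io.EOF }
func (r *recorder) Exec([]driver.Value) (driver.Result, error) { return nil, driver.ErrSkip }
func (r *recorder) Prepare(q string) (driver.Stmt, error) { // message 1: query text only
	r.log = append(r.log, "PREPARE "+q)
	return r, nil
}
func (r *recorder) Query(args []driver.Value) (driver.Rows, error) { // message 2: values only
	r.log = append(r.log, fmt.Sprintf("ARGS %q", args))
	return r, nil
}

// lookup reads "hash" (assumed name) from the query string, where mux.Vars would not see it, and runs the page's query.
func lookup(target string) ([]string, error) {
	hash := httptest.NewRequest("GET", target, nil).URL.Query().Get("hash")
	rec := &recorder{}
	db := sql.OpenDB(rec)
	defer db.Close()
	st, err := db.Prepare("select UserID, CurrentDB from optUsers where LoginHash = ?")
	if err != nil {
		return nil, err
	}
	defer st.Close()
	rows, err := st.Query(hash)
	if err != nil {
		return nil, err
	}
	return rec.log, rows.Close()
}
func main() { fmt.Println(lookup("/login?hash=%27+OR+%271%27%3D%271")) } // constructed input
```

Whatever the request carries, the logged `PREPARE` text stays identical and the value only ever appears in the `ARGS` entry.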